
Continued Use Of Site Means Consent to Privacy Policy Changes?

I speak with many folks about the importance of published website privacy policies, and about the need to obtain consent, not implied but explicit (express) consent, before changing the terms of those privacy policies.

I also participate in LinkedIn, and I have found it to be a great and valuable tool for networking and communicating with other information security and privacy practitioners.

So, today when I logged in I was quite interested to see the following banner posted on the home page...

"We've updated! On November 14, 2008, LinkedIn published revised versions of our Privacy Policy and our User Agreement. Using LinkedIn means you consent to these policies, so please take a few minutes to read and understand them."

Hmm...

And I was interested to see that once I navigated away from the page, then returned, the policy change notice was not re-posted.

Trying to rely on this type of implied consent has caused significant trouble in the past for several other organizations and businesses, and the FTC does not look kindly upon changing a privacy policy in this way and telling users that they give consent simply by continuing to use the site. Most individuals using the site don't like this kind of situation, either.

As just one example, here is an excerpt from the FTC's "Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles" report regarding getting explicit, or "affirmative express," consent for material changes in privacy policies...

"3. Affirmative express consent for material changes to existing privacy promises

Issue:

• Industry and consumer representatives alike state that the privacy policy - a set of commitments about how information is handled - not only is an important tool for providing information to consumers, but also serves to promote accountability among businesses. It is widely recognized, however, that businesses may have a legitimate need to change their privacy policies from time to time.

Proposed Principle:

• As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers.

This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data."

I haven't read the actual LinkedIn privacy policy changes yet, but it will be interesting to see if the changes made could be considered as material changes, and if the brief, one-time notice given about the change could even be enforceable as a valid type of consent by site users to agree to the policy change.


Comments

Internet web site policies have definite problems. I'm just recovering from spending a half hour reading a site's policy just to find out the exact terms on the gift certificates I want to buy. I still didn't get to the certificate terms. I'm going to read that after I shake the zombie feeling from reading too much legalese. I don't know when we'll fix site policies, but they are definitely worth keeping an eye on!


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.